According to Raff, a specially constructed URL sent in an e-mail to the Mail program can appear to the user of that program as if it is for a trusted domain, such as ebay.com or chase.com. Click on the link and it will load in Safari, still showing the false trusted domain in the address bar. It's a phisher's dream.

Raff says that Apple has acknowledged the flaw in the Mail program and is investigating the Safari side of the problem. The company is not famous for quick action in such cases, but it has been known to happen. In the meantime, Raff recommends that you avoid clicking on links in e-mails.